.github/workflows/subca-cmc-test.yml

name: Sub-CA with CMC

on:
  workflow_call:
    inputs:
      os:
        required: true
        type: string

jobs:
  # docs/installation/ca/Installing_CA_with_External_CA_Signing_Certificate.md
  test:
    name: Test
    runs-on: ubuntu-latest
    env:
      SHARED: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3

      - name: Retrieve runner image
        uses: actions/cache@v3
        with:
          key: pki-ca-runner-${{ inputs.os }}-${{ github.run_id }}
          path: pki-runner.tar

      - name: Load runner image
        run: docker load --input pki-runner.tar

      - name: Create network
        run: docker network create example

      - name: Set up root DS container
        run: |
          tests/bin/ds-container-create.sh rootds
        env:
          IMAGE: ${{ needs.init.outputs.db-image }}
          HOSTNAME: rootds.example.com
          PASSWORD: Secret.123

      - name: Connect root DS container to network
        run: docker network connect example rootds --alias rootds.example.com

      - name: Set up root PKI container
        run: |
          tests/bin/runner-init.sh root
        env:
          HOSTNAME: root.example.com

      - name: Connect root PKI container to network
        run: docker network connect example root --alias root.example.com

      - name: Install root CA in root container
        run: |
          docker exec root pkispawn \
              -f /usr/share/pki/server/examples/installation/ca.cfg \
              -s CA \
              -D pki_ds_hostname=rootds.example.com \
              -D pki_ds_ldap_port=3389 \
              -D pki_security_domain_name=ROOT \
              -D pki_cert_id_generator=random \
              -D pki_request_id_generator=random \
              -v

      - name: Update caCMCcaCert profile
        run: |
          # Reduce policyset.caCertSet.2.default.params.range such that
          # it generates a subordinate CA cert with shorter validity
          # which will not violate the CAValidityConstraint.
          docker exec root sed -i \
              -e "s/\(policyset.caCertSet.2.default.params.range\)=.*/\1=7300/" \
              /var/lib/pki/pki-tomcat/ca/profiles/ca/caCMCcaCert.cfg

          # restart CA subsystem
          docker exec root pki-server ca-redeploy --wait

      - name: Install root CA admin cert
        run: |
          docker exec root pki-server cert-export ca_signing --cert-file $SHARED/root-ca_signing.crt
          docker exec root pki client-cert-import ca_signing --ca-cert $SHARED/root-ca_signing.crt
          docker exec root pki client-cert-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
              --pkcs12-password Secret.123
          docker exec root pki -n caadmin ca-user-show caadmin

      - name: Check cert requests in root CA
        run: |
          docker exec root pki -n caadmin ca-cert-request-find

      - name: Set up subordinate DS container
        run: |
          tests/bin/ds-container-create.sh subds
        env:
          IMAGE: ${{ needs.init.outputs.db-image }}
          HOSTNAME: subds.example.com
          PASSWORD: Secret.123

      - name: Connect subordinate DS container to network
        run: docker network connect example subds --alias subds.example.com

      - name: Set up subordinate PKI container
        run: |
          tests/bin/runner-init.sh subordinate
        env:
          HOSTNAME: sub.example.com

      - name: Connect subordinate PKI container to network
        run: docker network connect example subordinate --alias sub.example.com

      - name: Install subordinate CA in subordinate container (step 1)
        run: |
          docker exec subordinate pkispawn \
              -f /usr/share/pki/server/examples/installation/ca-external-cert-step1.cfg \
              -s CA \
              -D pki_ds_hostname=subds.example.com \
              -D pki_ds_ldap_port=3389 \
              -D pki_ca_signing_csr_path=$SHARED/ca_signing.csr \
              -D pki_cert_id_generator=random \
              -D pki_request_id_generator=random \
              -v

      # https://github.com/dogtagpki/pki/wiki/Issuing-CA-Signing-Certificate-with-CMC
      - name: Issue subordinate CA signing cert with CMC
        run: |
          # check cert request
          docker exec root openssl req -text -noout -in $SHARED/ca_signing.csr

          # create CMC request
          docker exec root mv $SHARED/ca_signing.csr ca_signing.csr
          docker exec root CMCRequest \
              /usr/share/pki/server/examples/cmc/ca_signing-cmc-request.cfg

          # submit CMC request
          docker exec root HttpClient \
              /usr/share/pki/server/examples/cmc/ca_signing-cmc-submit.cfg

          # convert CMC response (DER PKCS #7) into PEM PKCS #7 cert chain
          docker exec root CMCResponse \
              -d /root/.dogtag/nssdb \
              -i ca_signing.cmc-response \
              -o $SHARED/ca_signing.p7b

          # check issued cert chain
          docker exec root openssl pkcs7 -print_certs -in $SHARED/ca_signing.p7b

      - name: Install subordinate CA in subordinate container (step 2)
        run: |
          docker exec subordinate pkispawn \
              -f /usr/share/pki/server/examples/installation/ca-external-cert-step2.cfg \
              -s CA \
              -D pki_ds_hostname=subds.example.com \
              -D pki_ds_ldap_port=3389 \
              -D pki_cert_chain_path=$SHARED/root-ca_signing.crt \
              -D pki_ca_signing_csr_path=$SHARED/ca_signing.csr \
              -D pki_ca_signing_cert_path=$SHARED/ca_signing.p7b \
              -D pki_cert_id_generator=random \
              -D pki_request_id_generator=random \
              -v

      - name: Check subordinate CA signing cert
        run: |
          docker exec subordinate pki-server cert-export ca_signing --cert-file ca_signing.crt
          docker exec subordinate openssl x509 -text -noout -in ca_signing.crt

      - name: Check subordinate CA OCSP signing cert
        run: |
          docker exec subordinate pki-server cert-export ca_ocsp_signing --cert-file ca_ocsp_signing.crt
          docker exec subordinate openssl x509 -text -noout -in ca_ocsp_signing.crt

      - name: Check subordinate CA audit signing cert
        run: |
          docker exec subordinate pki-server cert-export ca_audit_signing --cert-file ca_audit_signing.crt
          docker exec subordinate openssl x509 -text -noout -in ca_audit_signing.crt

      - name: Check subordinate subsystem cert
        run: |
          docker exec subordinate pki-server cert-export subsystem --cert-file subsystem.crt
          docker exec subordinate openssl x509 -text -noout -in subsystem.crt

      - name: Check subordinate SSL server cert
        run: |
          docker exec subordinate pki-server cert-export sslserver --cert-file sslserver.crt
          docker exec subordinate openssl x509 -text -noout -in sslserver.crt

      - name: Check subordinate CA admin cert
        run: |
          docker exec subordinate openssl x509 -text -noout -in /root/.dogtag/pki-tomcat/ca_admin.cert

      - name: Run PKI healthcheck
        run: docker exec subordinate pki-healthcheck --failures-only

      - name: Verify subordinate CA admin cert
        run: |
          docker exec subordinate pki client-cert-import ca_signing --ca-cert $SHARED/ca_signing.p7b
          docker exec subordinate pki client-cert-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
              --pkcs12-password Secret.123
          docker exec subordinate pki -n caadmin ca-user-show caadmin

      - name: Check cert requests in subordinate CA
        run: |
          docker exec subordinate pki -n caadmin ca-cert-request-find

      - name: Gather artifacts from root containers
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/root rootds
          tests/bin/pki-artifacts-save.sh root
        continue-on-error: true

      - name: Gather artifacts from subordinate containers
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/subordinate subds
          tests/bin/pki-artifacts-save.sh subordinate
        continue-on-error: true

      - name: Remove subordinate CA from subordinate container
        run: docker exec subordinate pkidestroy -i pki-tomcat -s CA -v

      - name: Remove root CA from root container
        run: docker exec root pkidestroy -i pki-tomcat -s CA -v

      - name: Upload artifacts from root container
        if: always()
        uses: actions/upload-artifact@v2
        with:
          name: subca-cmc-root-${{ inputs.os }}
          path: |
            /tmp/artifacts/root

      - name: Upload artifacts from subordinate container
        if: always()
        uses: actions/upload-artifact@v2
        with:
          name: subca-cmc-subordinate-${{ inputs.os }}
          path: |
            /tmp/artifacts/subordinate